I'm trying to access my GAE app from outside the browser.
At the moment it's Python script but I'm planning desktop C++ app.
I'm fallowing Using OAuth 2.0 for Installed Applications.
So far I managed to access user info:
https://www.googleapis.com/oauth2/v1/userinfo?alt=json
However every call to my GAE ends up with redirection to login page.
Is there a way to do authenticated calls to GAE from a script?
Please take a look at my test code
My goal:
Use Python script on my local machine to get data (json endpoint, static file, html, whatever) from my GAE app as authenticated user.
I believe this is sort of possible using ClientLogin (deprecated) https://developers.google.com/accounts/docs/AuthForInstalledApps.
However, I have found it much easier to just have an API secret string that I use (in a header, over HTTPS) to say that the request is from an approved script.
Alternatively you can do the oauth login flow (whichever flow you want, using your own oauth app), but you don't want to use any login: tags in app.yaml, just do it entirely in your Python code.
Related
I'm attempting to use the Microsoft Graph API to send emails and edit excel documents from my works 355 environment.
I'm able to get into Active directory and register an app, but I'm unsure how to figure out authentication without having a webervice, azure hosting etc.
It seems that most authentication flows need a redirect URl to receive the token after sending the client id and secret.
Is there a way for me to authenticate from a python script sitting on a local Windows machine with no static IP?
The client credentials flow doesn't require a redireturi there is a good sample of using the MSAL in phython https://github.com/AzureAD/microsoft-authentication-library-for-python/blob/dev/sample/confidential_client_secret_sample.py
If you want to use delegate authentication the other way would be the device code flow https://github.com/Azure-Samples/ms-identity-python-devicecodeflow
Another option is the native redirect you might want to look at something like https://pypi.org/project/msal-interactive-token-acquirer/
I created a Flask-Webservice with Python that runs independently inside a docker container. I then uploaded the docker image to an Azure Container Registry. From there I can create a WebService (for Containers) with some few clicks in the Azure Portal, that runs this container. So far so good. It behaves just as I want it to.
But of course I don't want anyone to access the service. So I need some kind if authentication. Luckily (or so I thought) there is a built-in authentication-mechanism (I think it is based on OAuth ... I am not that well versed in security issues). Its documentation is a bit sparse on what actually happens and also concentrates on solutions in C#.
I first created a project with Google as described here and then configured the WebApp-Authentication with the Client-Id and Secret. I of course gave Google a java script source and callback-url, too.
When I now log off my Google account and try a GET-Request to my Webservice in the Browser (the GET should just return a "hello world"-String), I am greeted with a Login Screen ... just as I expected.
When I now login to Google again, I am redirected to the callback-url in the browser with some kind of information in the parameters.
a token perhaps? It looks something like this:
https://myapp.azurewebsites.net/.auth/login/google/callback?state=redirxxx&code=xxx&authuser=xxx&session_state=xxx&prompt=xxx).
Here something goes wrong, because an error appears.
An error occurred.
Sorry, the page you are looking for is currently unavailable.
Please try again later.
If you are the system administrator of this resource then you should check the error log for details.
Faithfully yours, nginx.
As far as I now, nginx is a server software that hosts my code. I can imagine that it also should handle the authentication process. It obviously lets all requests through to my code when authentication is turned off, but blocks un-authenticated accesses otherwise and redirects to the google login. Google then checks if your account is authorized for the application and redirects you to the callback with the access token along with it. This then returns a cookie which should grant my browser access to the app. (I am just reproducing the documentation here).
So my question is: What goes wrong. Does my Browser not accept the cookie. Did I something wrong when configuring Google+ or the Authentication in the WebApp. Do I have to use a certain development stack to use the authentication. Is it not supported for any of the technologies I use (Python, Flask...).
EDIT
#miknik:
In Microsofts documentation of the authentication/authorization it says
The authentication and authorization module runs in the same sandbox
as your application code. When it's enabled, every incoming HTTP
request passes through it before being handled by your application
code.
...
The module runs separately from your application code and is
configured using app settings. No SDKs, specific languages, or changes
to your application code are required.
So while you are probably right that the information in the callback-redirect is the authorization grant/code and that after that this code should now be used to get an access token from Google, I don't quite understand how this would work in my situation.
As far as I can see it Microsofts WebApp for Container-Resource on Azure should take care of getting the token automatically and return it as part of the response to the callback-request. The documentation states 4 steps:
Sign user in: Redirects client to /.auth/login/.
Post-authentication: Provider redirects client to /.auth/login//callback.
Establish authenticated session: App Service adds authenticated cookie to response.
Serve authenticated content: Client includes authentication cookie in subsequent requests (automatically handled by browser).
It seems to me that step 2 fails and that that would be exactly what you wrote: that the authorization grant is to be used by the server to get the access token but isn't.
But I also don't have any control over that. Perhaps someone could clear things up by correcting me on some other things:
First I can't quite figure out which parts of my problem represent which role in the OAuth-scheme.
I think I am the Owner, and by adding users to the list in the Google+-Project I authorize them to use my service.
Google is obviously the authorization server
my WebService (or better yet my WebApp for Containers) is the resource server
and finally an application or postman that does the requests is the Client
In the descriptions of OAuth I read the problematic step boils down to: the resource server gets the access token from the authorization server and passes it along to the client. And Azures WebApps Resource is prompted (and enabled) to do so by being called with the callback-url. Am I right somewhere in this?
Alas, I agree that I don't quite understand the whole protocol. But I find most descriptions on the net less than helpful because they are not specific to Azure. If anyone knows a good explanation, general or Azure-specific, please make a comment.
I found a way to make it work and I try to explain what went wrong as good as I can. Please correct me if I go wrong or use the wrong words.
As I suspected the problem wasn't so much that I didn't understand OAuth (or at least how Azure manages it) but the inner workings of the Azure WebApp Service (plus some bad programming on my part). Azure runs an own Server and is not using the built-in server of flask. The actual problem was that my flask-program didn't implement a WSGI-Interface. As I could gather this is another standard for python scripts to interact with any server. So while rudimentary calls from the server (I think Azure uses nginx) were possible, more elaborate calls, like the redirect to the callback url went to dev/null.
I build a new app following this tutorial and then secured it by following the authentication/authorization-tutorial and everything worked fine. The code in the tutorial implements WSGI and is probably more conform to what Azure expects. My docker solution was too simple.
My conclusion: read up on this WSGI-standard that flask always warned me about and I didn't listen and implement it in any code that goes beyond fiddeling around in development.
I am trying to create a daemon python application which will get emails from outlook server using Microsoft outlook graph API. They have provided excellent tutorial and documentation on how to get it done for python app like django and flask. But I want to create daemon script which can get access code without using web interface(which was used in django).
Note: This app will only collect email from single email and will feed it to db.
Any help is appriciated.
It really depends on what kind of security you need. You can have your daemon/service authenticate with username/password directly, or you can have it authenticate with a certificate.
There are several different authentication scenarios, take a look at the docs page.
Either way, you need to register your daemon as an app in Azure and give it permissions to the Outlook API, just as if it were a web app.
My question may sound stupid, but I just want to know if this is possible to browse the web pages which needs authentication after doing the authentication with python requests library.
I've a script to login into the application, which successfully authenticate the user into application, but is there a way to reflect that in a browser like in Chrome? so that user could directly access the authenticated page without having to fill the form and login. It's happening inside my application, so I'm not breaching any privacy policy of such things.
Any suggestions would be great.
For example I authenticated myself into http://example.com/login through the script, I want to be able to directly browse http://example.com/user/home in the browser. How this could be possible?
The simplest way is to have your python application log in the web application, and the have it request an token. Then the script will open the browser, passing along the token. Your web application takes that token and uses it in lieu of the login form to authenticate your user and create their session.
Take a look at OAuth, I think it has specific workflows for this kind of scenario. Otherwise you can craft your own.
I'm currently building a Python webapp on the Google App Engine and I want to expose various parts of my application via a JSON API. This API may be used in the form of a mobile client, or (for the purposes of testing) a headless Python script.
I need to be able to authenticate users before they perform operations on the API. I notice that the Users API does not support simple authentication [in the form of authenticate(username, password)] so merely sending the username/password to a URL and then later using some given token would not work.
Ultimately, I would like the application to use Facebook Connect in addition to its own logins.
Could somebody please suggest how is the best way to authenticate users in this situation, using a remote JSON API and the Google App Engine?
Cheers
You might want to check out the recently released oauth support. Failing that, you can implement your own authentication, for example by using simple or digest authentication.
Just for the record, I ended up going with the wonderful Tipfy framework in the end.